Malware creators often borrow ideas from each other. We have historically seen clusters of malware each trying to do something in a functionally similar way. For example, the coding may change, but it’s still an SQL injection attack at the heart of it.
Targeting the Internet of Things
Malicious actors seem to have discovered the Internet of Things (IoT) landscape in a big way. It helped that a distributed denial-of-service (DDoS) malware called Mirai was publicly posted a few weeks ago. Sample code always helps when you have crime on your mind but lack the skills required to commit it.
Mirai is best known for the list of default passwords of IoT-connected devices contained in its source code. These passwords enslave the botnet’s devices, since default passcodes are often not changed during setup. In fact, many of these low-level devices may not even offer the user a chance to change them. Having a nice, clear list of the keys to the kingdom is a useful tool for any apprentice botnet herder.
New Trojan, Old Tricks
Softpedia reported that a new Linux Trojan is trying the same IoT tricks as Mirai. The threat, called NyaDrop, launches a brute-force attack against telnet ports. Once in, this small malware checks out the infected system, opens a backdoor and downloads the Nya Trojan. It only happens if the IoT device is running the MIPS 32-bit architecture on the CPU, which is present in many low-level devices.
NyaDrop is all about getting the “nya” UNIX-specific ELF binary to the right place. This dropper scheme could allow the payload on the compromised devices to be updated at a later date.
Securing the IoT Landscape
Akamai has been scurrying around lately looking at the recent IoT-enabled DDoS attacks. The content delivery network and cloud provider observed some new techniques to hide IP addresses that depend on IoT devices for the grunt work, and issued a threat advisory to address this issue.
The so-called SSHowDowN Proxy attack exploits a vulnerability in OpenSSH that has been around for 12 years. If the IoT device supports remote secure shell (SSH) connections, malware actors can leverage default passwords to get in and fiddle with the device’s SSH options. They can then make an SSH tunnel through the device by using TCP forwarding so that anything sent to it remotely ends up looking as if it had originated from that device.
SecurityWeek listed some mitigation techniques for this, including advice for vendors to shut down all active SSH as a default setting on IoT devices.
Future implementation methods will determine the security of the IoT landscape going forward. But an exploitable mass of IoT devices is already out there for cybercriminals to hijack for their own nefarious purposes.